Web Services: The Great Buildup

Is the Internet on the verge of profound change, or is new technology simply looking for something to do?Scott Leibs, CFO MagazineMay 1, 2001

A grand new vision of the Internet is emerging, at least among software firms eager to sell the building blocks that would make it possible. While dubbed "Web services," this vision is really about software infrastructure, or the lack thereof. In the Web-services model, companies won't buy software, they'll rent it via the Web.

That's essentially what happens today in the ASP model, but Web services allows the customer to rent components from various sources on the Internet, and mix and match them to create new applications. IT staffers could, in theory, create new applications as easily as they surf Web sites, linking one vendor's database service with another's analytic engine, and perhaps augmenting that with still other companies' credit-authorization or currency-conversion capabilities. Supply-chain partners wouldn't just swap data, they also would link their systems at the most fundamental levels, achieving integration far beyond what today's Web-based exchanges allow.

Two trends are converging to make this vision possible. The first is the maturation of several critical interface standards, including XML, SOAP, UDDI, and WSDL, which provide the means by which software modules can work with, and even "find," one another on the Web. (UDDI, for example, is a searchable directory of all Web services extant.) The other is the enthusiasm for this concept shared by Microsoft, IBM, Sun Microsystems, Hewlett-Packard, and a host of other software vendors that make the tools and programming languages that would underlie this world of Web services.

While the market for these products barely exists, confusion has set in as various vendors trumpet both their adherence to standards and the superiority of their own products. Microsoft and Sun are most clearly positioned as direct competitors, although as AMR Research senior analyst Peter Urban notes, "a program written in [Sun's] Java should be able to talk to a program written in [Microsoft's] C# if they both adhere to SOAP and the other standards."

What the competition is really about, says Mark Desmery, chief technology officer at Duzine.com LLC, a New Paltz, N.Y.-based firm that offers a currency-conversion product in something like a Web-services model, is "a battle for developer mind share." Each vendor wants to establish itself early on as the best source of the products that other software firms and corporate IT departments will need to pursue the Web-services model.

While it exists today mostly as an abstraction, there is a compelling argument for Web services: The Internet can do more than simply provide a pipeline for data. It can act as a de facto infrastructure, augmenting or even replacing costly "back office" installations that are virtually synonymous with IT. And software programs could become more robust and provide greater strategic impact, if they could be created quickly by connecting existing, proven components in new ways.

But companies have been burned by grand visions before. The idea of building software quickly and more cheaply through reusable components has been around for at least 15 years, to little effect; similarly, client-server architectures were supposed to spread computing over a network and reap many rewards. Some of that did come to pass, in the sense that the Internet operates that way, but in a larger sense, no one looks back fondly on client-server initiatives.

Still, Web services not only has the support of major vendors (in March, Microsoft opened a new Silicon Valley technology center devoted to the concept) but it's also already creeping into the market. Duzine's currency-conversion service depends on client-installed software that can reach into the company's server and retrieve the latest conversion rates on an annual-subscription basis. It is a Web- based service, certainly, although since clients must buy and install a small software component, it doesn't follow the pure model espoused by the major vendors.

"To be a pure Web service, we'd have to use standards like SOAP [simple object access protocol], and so would clients," says Desmery. "And that requires both parties to be rocket scientists." Desmery says that while "wizards" supplied by Microsoft and others might simplify the use of SOAP and thus usher in an era of pure Web services, "it's certainly not going to happen this year."

Open Table, a San Francisco manufacturer of CRM (customer relationship management) software aimed at the restaurant and food- services industry, has begun to offer Web services to its clients. American Express, for example, uses Open Table's service to allow visitors to the American Express Web site to make restaurant reservations. Susan Lally, Open Table's vice president of engineering, says, "By packaging our technology as a Web service, we can partner with almost anyone, regardless of their technology." Any company interested in adding a restaurant-reservation capability to its Web site, or within a software application, can do so simply by "pointing" its Web-based application to Open Table (and establishing some form of licensing agreement or business alliance with the company).

Of course, tapping an existing restaurant-reservation function is a simple concept: no one wants to build that if it already exists. But will companies go further, restructuring their systems so that Web services becomes a critical part of their entire IT capability? Some analysts, such as AMR's Urban, say yes, and believe the time is now. "Early adopters will be able to integrate internal and external applications," he says, "and get an advantage over companies that wait to see how this plays out."

Neil Charney, director of Microsoft's .Net enterprise solutions group, says that "it's not easy or obvious how to do it, but the tools are here today. It's not a future vision." The release of Microsoft's VisualStudio.Net developing environment later this year, not to mention a stream of product announcements from other major companies, will ensure that "Web services" remains a hot buzz phrase for many months to come. Whether the availability of so many picks and shovels proves there's gold in them thar' hills, however, remains to be seen.

THE ABCS OF WEB SERVICES

XML (extensible mark-up language). This is the single most important standard for Web services, and for any application that requires structured documents to be exchanged over the Internet. It allows various components of a data stream to be properly identified and interchanged, something Web pages written in HTML can't do. "With XML, my purchase order can talk to your processing system," is how Microsoft's Neil Charney puts it.

SOAP (simple object access protocol). This standard allows applications that want to share XML-encoded data to connect with one another and initiate a transaction.

UDDI (universal description, discovery, and integration). This is a specification for Web-based registries or directories of Web services. A UDDI directory would essentially be a Yellow Pages of Web services. More than 2,000 companies have already signed on. For more information, see www.uddi.org.

COMPUTER SECURITYEncryption Remains a Secret

Phil Zimmermann, the man who successfully battled the federal government over the issue of E-mail privacy, now faces a more formidable foe: corporate indifference. Zimmermann invented PGP (Pretty Good Privacy), an encryption program that is virtually uncrackable. The State Department spent three years rattling its legal sabers, claiming that the propagation of the code around the world (via the Internet) violated the Arms Export Control Act. Once that threat passed, Zimmermann turned his attention to private enterprise. In his darker moments, he must miss the Washington suits: they, at least, paid attention to him.

Companies have spent hundreds of millions of dollars on antivirus software and other security measures, yet almost none has bothered to encrypt E-mail. This despite the fact that it is a treasure trove of intellectual property, rich with details on new products, impending deals, executive transitions, and other critical business information. "We've had trouble getting PGP deployed in large enterprises," says Zimmermann, "even though the effects of E-mail intrusion could be devastating, beyond what any insurance coverage could compensate you for."

One problem with E-mail encryption is that it's not always easy to use. "I presumed an opponent on the level of the NSA [National Security Agency]," says Zimmermann. "But most threats aren't like that, so encryption products can be made easier to use."

Many companies are trying, including Zimmermann's current employer, Hush Communications, makers of Hushmail. Last month, Aegis Systems announced products that use "anonymous key" technology, versus the more widely known "public key" method. Most public-key systems require that a third party manage the "keys," or codes that encrypt and decrypt E- mails. The Aegis system allows a user to encrypt or decrypt a message by just hitting a button and entering a password, and the company says the password part of the process may be phased out soon. Mirapoint Inc.'s new Message Director sys-tem encrypts messages between servers, rather than desktop-to-desktop, so users don't do anything at all. In March, Tumbleweed Communications Corp., one of the market leaders, introduced software that allows IT departments to determine which E- mails should be sent over Tumbleweed's secure channel versus over the Internet. Companies are also bundling encryption with other forms of E- mail protection, such as virus-scanning software and secure archives. "One reason encryption hasn't caught on," says Bruce Schneier, co-founder and chief technical officer of Counterpane Internet Security Inc., "is because it protects mail only in transit, and that's not really where the threat is."

Determining just where the threat is, or whether it exists at all, has also hampered the acceptance of encryption. Viruses and denial-of- service attacks are conspicuous, while E-mail snooping is not, so even companies that have purchased other forms of E-mail security resist encryption. CoSine Communications Inc. signed on with Mirapoint primarily for its antivirus-scanning technology. Tony Boersma, the telecommunications company's director of IT, says that "encryption would have to approach zero cost and zero effort for us to take a look. The client-support issues pose too great a burden."

If the latest figures from the FBI­ Computer Security Institute survey are any indication, however, there is scarcely any aspect of computing that remains invulnerable to hackers, internal abuse, or other threats. Of the 538 companies, universities, and government agencies that responded, 64 percent said they had been the victim of some form of attack or misuse in the past 12 months. The 196 respondents willing or able to quantify their losses suffered an average $2 million in damages, double the average loss in the previous year. -- S.L.

READING OTHERS' MAIL

There's no doubt that companies are becoming more reliant on E-mail-- public relations giant Hill & Knowlton Inc. saw its volume increase 10-fold in a single year. It also saw staff turnover climb as high as 45 percent in some locations, as people flocked to dot-coms, leaving behind co-workers who had little idea where things stood with clients. So the company turned to Intraspect Software Inc. for a novel form of collaborative technology that channels E-mail to a searchable database. The product helps the firm cope not only with its own turnover, but with clients' as well. Ted Graham, H&K's worldwide director of knowledge management services, says, "When new people come on board, we can forward the relevant E-mail correspondence and get them up to speed." Most E-mail systems allow for the creation of shared folders, but Graham says that only Intraspect provided true search capabilities across a widely dispersed network. -- S.L.